Web Based Turbo Tax Disclosure Vulnerability Found

Anonymous MPLS Coward writes "Looks like the web-based Turbo Tax was allowing some users to look at other user's tax return information. Reports state that things like bank routing information was available as well as SSNs. Turbo Tax software was unaffected; the bug is in the web-based Turbo Tax service."

Penalty for the developers

[davidmillions.com]

Companies should be penalized for something so severe to let them know that they need to do a better job in the future.

Re:

[HomelessInLaJolla]

That'll happen the same day the government accepts penalty and responsibility for laws passed outside of its jurisdiction.

Re:

[davidmillions.com]

Great for you and me (I use TaxAct), but what's preventing from other companies into being sloppy too?

Re:

[j1m+5n0w]

According to capitalist theory, good companies with solid products should be preferred by consumers and dominate the market.

The trouble with the theory is that consumers are, in most cases, unable to evaluate whether the companies that make the products they use employ good security practices (and will continue to do so in the future). See information asymmetry [wikipedia.org].

Re:

[Propaganda13]

I haven't used an Intuit program since they installed the C-Dilla malware with Turbo Tax. That was a greater breach of trust than this slip-up. There's a good chance that any company will have a problem sooner or later. It's the frequency of the problems, how they handle the problems, and their overall view of their customers that matters.
Two companies that I won't buy from
Intuit - adding malware to tax software - I'd be annoyed if a game did this, but having financial software do this crosses the line.
Iome

Re:

[Heembo]

Isn't that the Gramm-Leach-Bliley act?

Re:Penalty for the developers

[CodeBuster]

Agreed. This is the same kind of crap that I see all of the time from inexperienced developers (especially offshore developers in India). They make all of the classic mistakes, client side javascript for input validation, use of query string parameters with the the SQL command builder on their pages (SQL injections galore), administrative query access to the SQL server directly from the web server, "secret" admin pages, cross-site scripting, you name it and they do it. The problem with a significant portion of the Indian developers is that they are are too busy waving their IIT degree, ISO certs, and other documentation of their extensive education, which taught them everything they needed to know, so they don't need to listen to American devs who have a few lessons left to teach them from school of hard knocks. They suffer from the "not invented here" syndrome, sometimes to an extreme, and thus earn themselves nasty surprises when the attack finally comes and catches them completely flat-footed. The really sad part about all of this is that same types of attacks are used again and again and the same developers keep building vulnerable sites again and again...even long after the attacks are known and proper designs have been presented on many developer forums to avoid these problems (i.e. use stored procedures, limit database permissions to those stored procedures only, don't use the query string for sensitive data, use regular expressions to validate user input data on the server side, etc...)

If you want American

[wytcld]

There's one tax software company doing their programming entirely in America, TaxAct (2nd Story Software [taxact.com]. I haven't used their Web version, but their Windows version runs nearly flawlessly under Wine on Linux (there are minor problems with checkbox and drop-down list display on screen while filling out forms, but those show up correctly in the print preview and output). I've used TaxCut and TurboTax in past years; TaxAct doesn't have silly videos included, but it's efficient and effective.

I share the caution about Indian programmers. I just dropped checking and savings accounts with Ameriprise (formerly Amex Bank), because in the several years since they shipped the programming off to India they still haven't gotten their site to work reliably in its basic operations. Even before security is considered, the incompetence is amazing. Now I'm seeing a downgrading in the usability of CitiBank's Website, where there's also been extensive recent offshoring - they can't be bothered to test for obvious JavaScript bugs that block Mozilla, for example, even though previously they'd officially and effectively supported Mozilla/Netscape for years. (Hell, I do work for financial firms in NYC that don't even allow their own people to browse with IE.)

Re:

[Skye16]

In all fairness, using JS for client-side validation *as well* as implementing server side validation is okay. After all, it's better for the user if they know they fucked up immediately rather than sending a request to the server and waiting for a response (both for the client (realtime response) and you (slightly lower server load).

But I digress.

Re:

[GWBasic]

Agreed. This is the same kind of crap that I see all of the time from inexperienced developers (especially offshore developers in India). They make all of the classic mistakes, client side javascript for input validation, use of query string parameters with the the SQL command builder on their pages (SQL injections galore), administrative query access to the SQL server directly from the web server, "secret" admin pages, cross-site scripting, you name it and they do it.

I get the impression that the woman wh

Re:

[k1e0x]

..And who would do the penalizing? The government? What type of law would we have them write?

The fact is they are penalized.. Its just not as visible as the flogging in the street you seem to be calling for. They could be sued, and are going to loose business over this.

Re:

[iamacat]

Companies should be penalized for making web software when only a native, mostly-offline client would be appropriate for customer's confidentiality.

Exaggerated synopsis

[SpiffyMarc]

The synopsis makes it seem like this was a bigger deal than it is. If this was actually in the wild, or exploited, that'll be big -- but as the article is written, one person stumbled across this problem, reported it, and Intuit fixed it.

Re:Exaggerated synopsis

[HomelessInLaJolla]

Nothing is ensured, though. If one random user can happen to stumble across a flaw then there are probably ten or twenty other flaws which can be found by more detailed analysis of the code.

The original software authors probably already know most of them and are happily passing that information along to their friends in political office--or to their cohorts on IRC.

Re:

[Sam Ritchie]

How is the (paraphrased) comment "software probably contains bugs" insightful?

Re:Exaggerated synopsis

[LighterShadeOfBlack]

If this was actually in the wild, or exploited, that'll be big

How do you know it wasn't? This isn't the kind of thing where if it's being exploited people would know it. If the wrong person discovered this first then obviously they wouldn't be running around telling people that they'd found a security hole which they were currently exploiting for their own personal profit.

Re:

[scottrocket]

"If the wrong person discovered this first..." I was afeared this might happen, which is why I stopped using Turbotax online many years ago; I now go to a bunch of sweet ladies who always seem to get the work done much quicker!

Re:

[uofitorn]

If this was actually in the wild

Well, it was in the wild. It was on their production website, accessible to the public. Any number of less well intentioned individuals could have taken advantage of the flaw before it was actually reported to Turbo Tax.

If it was in beta or development code, and the flaw was found internally, then it would be as you say.

Re:

[fimbulvetr]

...Smoke and mirrors comment...

The plain and simple fact is that this should have never happened. There should be *authentication* mechanisms in place to prevent logins from seeing any more than exactly their information. Anything beyond that is absurd and screams to be insulted.

In security its never a question of where or how far advanced a public/wild an exploit is, it's if the potential exists. Anything else is damage control, and that's what you're attempting to do.

Re:

[Ucklak]

one person stumbled across this problem, reported it,

... and the 1000 other crackers (hackers if you're offended by the cracker label) would just harvest information and sell later.

Come on, in the restaurant business, for every one that complains, there are 10 that don't. 3 of the 10 never come back.

This is horrible on Intuit's part.

not fixed

[r00t]

They claim to have REMOVED THE LINK.

Removing a link to a web page takes the "feature" away on the server...? Idiots.

Re:

[syphax]

What's unknown is how many people stumbled across the problem and did not report it.

I really like the web version of Turbo Tax, but things like this leave me very nervous.

Wearing Jackets with Bull's Eyes

[bill_mcgonigle]

The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing an high-tech organized-crime-sponsored identity thief can imagine - and sometimes it just doesn't make sense to walk around wearing a jacket with a bull's eye painted on the back, even if you're not a coward.

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Re:

[Jose]

Now, factor in the fact that there is a smart blackhat community and this database is about the most delicious thing an high-tech organized-crime-sponsored identity thief can imagine

yep, that's a pretty juicy target...a more juicy target would be the IRS's DB, which must be at least somewhat available online (think e-filing). Even if you don't e-file, your data is going to end up in a DB at some point, so don't feel too safe.

Re:

[bill_mcgonigle]

a more juicy target would be the IRS's DB, which must be at least somewhat available online (think e-filing).

Yeah, I should have clarified in my post - with the TurboTax database, as I understand it, you don't have to do your entire return at one sitting, so you can come back to it. That makes perfect sense for the user. But it also means the data has to be retrievable from the website.

With the IRS, they can, in theory, have a gate in place that makes the E-file transactions one-way. Some TLA agencies us

Re:

[Jose]

With the IRS, they can, in theory, have a gate in place that makes the E-file transactions one-way. Some TLA agencies use XML bridges for this kind of setup. At least it's possible, and I hope they do it.

yep, that would be a great way to help protect the database, but everything in front of that is still a single point of attack.

I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch...but as always, it just takes one mistake :(

Re:

[bill_mcgonigle]

I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch

We'd also think the FBI and FAA would have decent computer systems, but they're classic IT boondoggles. Let's hope the IRS does better. Heck, they ought to let the Post Office run their systems. ...but as always, it just takes one mistake :(

Or none if they get zero-day'ed. I'll second your :( .

How good is IT at the IRS?

[yuna49]

I'd imagine that the monitoring around those systems is massive, and the security/setup is top-notch

You'd think so, but what evidence we have doesn't confirm your optimism:
http://www.treas.gov/tigta/auditreports/2007report s/200720048fr.html [treas.gov]
http://www.fcw.com/article98135-04-03-07-Web&print Layout [fcw.com]

The first article covers unsecured taxpayer information on IRS laptops, a problem the audit agency raised in 2003 which has yet to be addressed fully by the IRS. The second discusses more general security issu

Re:

[ceejayoz]

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Huh? You do realise that in the governmental mind "costs more to process" translates to "collect more taxes to cover it", not "maybe we should abolish income tax", right?

Re:

[bill_mcgonigle]

Huh? You do realise that in the governmental mind "costs more to process" translates to "collect more taxes to cover it", not "maybe we should abolish income tax", right?

Yep, I'm talking about when the argument comes, not the change in my pocket today. If the IRS has no administrative overhead it'll be harder to topple. If it's very expensive it can be shown as an inefficient mechanism (and therefore unfair) for taxation.

Re:

[ceejayoz]

It'll never get toppled. They'll just make efficiency measures, like requiring you to e-file.

Re:

[Ken D]

Here's my problem. Why should *I* pay more, so that *they* save money? E*filing should grant you a credit on your return, not a bill.

Re:

[ceejayoz]

If it makes you feel any better, just assume some of Bush's tax cuts were a result of increased e-filing.

Re:

[SeaFox]

The Turbotax.com offering really does sound like a good idea, for the taxpayer, but I still bought the boxed version and won't E-File. These guys are taking perhaps millions of people's sensitive data online, into a database that's Internet accessible. Even if their admins have done the best possible job (let's assume they have) their software has undiscovered vulnerabilities, at least as far as the whitehat community is concerned.

Yup, I filed online for the first time this year (using TurboTax Online, sadl

Re:

[Red Flayer]

As far as not E-filing, it also costs the IRS more to process, so that at least helps to keep one more negative about the income tax on the board.

Ah, yes, the old we-don't-like-government-waste-so-we'll-add-some-m ore-voluntarily.

The security concerns about e-filing are real (which is why I don't do it either). But is it really likely that the government will stop collecting taxes just because it's more expensive than not collecting taxes? No -- the collection cost will just continue to be passed on to

Re:

[bill_mcgonigle]

Ah, yes, the old we-don't-like-government-waste-so-we'll-add-some- m ore-voluntarily....But is it really likely that the government will stop collecting taxes just because it's more expensive than not collecting taxes? No -- the collection cost will just continue to be passed on to us.

I can't tell if you're misunderstanding or misrepresenting, but I'll try to be more clear:

When debating various forms of taxation, efficiency is a factor in determining appropriateness, fairness, and desirability.

Re:

[ceejayoz]

When debating various forms of taxation, efficiency is a factor in determining appropriateness, fairness, and desirability.

I suspect "I refuse to take already existing measures to improve efficiency just to bolster my side" doesn't win you debate points.

Re:

[bill_mcgonigle]

I suspect "I refuse to take already existing measures to improve efficiency just to bolster my side" doesn't win you debate points.

That would be a conflict of interest. Fortunately, I'm not the one debating, just doing my part to bolster the side of the debate I favor.

Re:

[necro81]

My objection to E-Filing is that I have to pay for it. To E-File my federal and state returns, generated by software running locally on my computer, would have cost me about $30 above the cost of the software. Why? It is not the IRS that charges this fee, it is the tax preparation company. It was a sweetheart deal made in some back room years ago - the IRS will not accept E-Filings from private citizens except via a tax preparation company, who is able (even encouraged, I'd say) to collect a fee for shi

My tax software is grey and squishy.

[maxume]

Pen and paper have the added advantage of making people think you are crazy.

No!

[Bluesman]

Not my bank routing number!

Someone please fix this before someone finds out how to deposit money into my account!

Re:No!

[ZorbaTHut]

I am currently holding in my hand a wire transfer request, dating from a few months ago when I sent money to a friend with an unexpected catastrophe. It asks for very few things.

* Date/time of original request
* "Teller ID" (I called them to ask how to do this and they gave me this bit of information)
* Member name
* Member number (this is embedded in the routing number for my savings account)
* Daytime phone
* Amount
* Information on who gets the money
* Signature

The only parts of this which could be used for authentication:

* The fact that I called
* My name
* My member number
* My phone number
* My signature

Given my tax forms, one could easily find my name and phone number, and if I had chosen the option to wire to or from my checking account, my member number as well. (This is why I would have sent a check, although that doesn't help particularly since the number is still written on the check. I got a refund, however, so they'll be sending me a check instead and I don't have to worry about that particular hole.)

Calling them is easily doable by someone who isn't me. My signature, as much as I hate to admit it, is awful and pretty easily forgeable.

So, in summary: the information on a tax return is a significant fraction of what is needed to withdraw money from someone else's account. It may not be enough. But it certainly helps.

Re:

[AmberBlackCat]

I'm pretty sure the name, address, account number, and routing number, are all you need to do an online check.

Perhaps we're looking at this the wrong way

[psaunders]

Think of it more as a useful, undocumented feature. Not only can you do your own tax return online, now you can do other people's! Well done to the good folks at Turbo Tax for coming up with it.

Re:

[Beryllium Sphere(tm)]

Wikireturns! People can collaborate on filing them.

Re:

[indifferent children]

Wikireturns! People can collaborate on filing them.

And if there's fraudulent information submitted, 50000 people spend 2 hours in jail.

Oh, swell!

[Tokerat]

I just filed my taxes with TurboTax Online! Great, now I'm going to be hacked, and then audited and the IRS is going to repossess all of my belon

NO CARRIER

Re:

[maxume]

That's not how you would start spelling bologna.

Until...

[Lead Butthead]

Until penalties for data breach has some serious teeth (say, for every dollar of loss inflicted on the customer, fine the offending company ten dollars) companies will never take the security of customer data seriously.

Re:

[maxume]

You have to balance a punishment like that against encouraging disclosure. Personally, if my data is lost, I'd rather be sure I hear about it than have the government make a buck.

Re:

[Beryllium Sphere(tm)]

Well, if the government makes a buck it's because they found out and started a proceeding that's part of public record.

Where you're absolutely right is that we want to offer incentives for not covering things up and for sharing enough information to improve security in general. The aviation industry does this right: they publish accident reports, whereas Intuit is keeping quiet about what kind of vulnerability they had.

Re:

[joeytmann]

Good point, but I like the customers getting feed up and leaving the company for some other product. Would hurt the bottom line way more than a fine.

I'll never go near turbo tax again.

[Darth_brooks]

I overpay my taxes every year. It's a few extra bucks out of my check that I don't notice, and I get a nice refund from the government. Yeah, I know I lose money on the deal based on inflation, since the money I let the feds hold doesn't earn interest. But it works out to a couple dollars a year at most based on what I'm paying, and getting the extra check works out well for me at the beginning of the year.

So two years ago I was filing with turbo tax. I'd been using it for a couple years with no problems. My taxes are simple; no house, no kids, no tax shelter investments. Just a handful of numbers on a W2, to the point where I could just as easily fill out the forms by hand, but I liked the convenience. Now, I overpay by ten bucks every week. 40 bucks a month * 12 months = $480 per year that I should get back (based on my tax bracket at the time) no matter what. My average refund was usually a couple hundred over that, and had been for the years prior. I've cut the feds a check exactly once since I started working 12 years ago.

So what did I get when I used turbo tax that year? They had me paying an additional 280 bucks! I went over that return with a fine tooth comb. All my numbers were right, every box was checked, every i was dotted and t was crossed on my end, and the software was up to date, but Turbo Tax said I owed the feds money. I broke out the disaster recovery computer (also known as a pen & paper), and did my taxes by hand and by the book. Result? My usual refund of around 700 bucks. On a lark I tried Taxcut. Same result, $700-ish refund.

Tax software (at my level anyway) should be no more complicated than a freaking spreadsheet. If they can't get that right for me, I shudder to think what kind of screw ups they've had for people who have real returns to file. At least I got a good lesson in double checking someone else's math.

Re:I'll never go near turbo tax again.

[ptbarnett]

You probably made a data entry error in TurboTax -- not necessarily entering the wrong amount, but clicking the "yes" button when you should have clicked "no" (or vice versa).

Based on the difference in taxes ($280 owed vs. $700 refund = net $980) and presuming a 28% marginal tax rate, the difference in taxable income was $980 / 0.28 = 3,500).

The personal exemption was $3,100 for tax year 2004. All you had to do was enter the personal exemption incorrectly (as in accidentally tell it you could were being claimed as a deduction on someone else's return), and you would have gotten the results you observed.

If your taxes were that simple, just looking at the generated 1040 (or 1040A) would have revealed whatever error (yours or theirs) that was occuring. So, I'm skeptical of your claim.

Re:

[nametaken]

You should've seen what TurboTax (boxed) did when I let it import data from one of my brokerage accounts. It told me I owed about $2,900. I just about had a heart attack until I realized that it took incomplete data (no purchase dates or prices), didn't warn me, recorded all the sales as income and added it to what I owe against.

I called an accountant instead and ended up eating the cost of TurboTax.

Re:

[ptbarnett]

You should've seen what TurboTax (boxed) did when I let it import data from one of my brokerage accounts.

I had the same problem a few years ago when I tried to import data downloaded from my brokerage. But, I knew to check it carefully, because I download transactions into Quicken throughout the year, and knew that they are often mis-classified by the brokerage (or perhaps the service they use to provide them for download). I carefully compared them to my year-end statement and corrected any errors. I

Paper wins again.

[SeaFox]

I've been doing my own taxes on paper since I was 16 (and back then I was having to file self-employments taxes and commercial schedules). This year, in the interest of getting my refund sooner (not that I really needed it fast) and avoiding transcription typos at data entry, I files electronically online, using the free TurboTax Online.

This is what I get.

Re:

[SeaFox]

Exactly, taxes aren't that complicated. I even did my taxes on paper like I usually do before I went online, and doing them online didn't make a bit of difference in my refund amount, just as I knew it wouldn't.

The problem is everyone treats taxes like a lottery, they think if they let a "professional" do them they'll get some big windfall. Two flaws in this thinking:

• Tax preparers don't use a separate set of tax laws, nor do they make up records out of midair. Everything they do you can do yourself with th

This is nothing new

[msblack]

On-line websites have been a major source of information security breaches. A few years ago I was able to perform reverse-directory lookups on Verizon customers. Their DSL registration website was one such problem. After a customer entered his/her telephone number to verify DSL availability, the website displayed the corresponding customer's name and billing address, asking "is your information correct?"

Re:

[Jables]

Huh? Reverse number lookups have been around for a long time. You didn't need to do a DSL search, just click on the "Reverse # Lookup" link on Verizon's Support page [verizon.com]. The fact that it was really hard to do this in a phone book in the old days doesn't make it a "security breach" on the web.

Re:

[ezzewezza]

On-line websites have been a major source of information security breaches.

SO TRUE! We should all be using off-line websites. They are MUCH more secure.

Check out Canada's security requirements

[eric31415927]

The Canada Revenue Agency sets up security rules here in Canada for third-party e-filers:
http://www.efile.cra.gc.ca/eol-security-e.html#con f [cra.gc.ca]

The article didn't mention what sort of security rules are enforced in the US.
Does the IRS have similar rules to what we have in Canada?

Re:

[gnuman99]

Huh? What guidelines? The only guidelines are "try to be careful and warn users their tax data is stored on your servers". That's the extend of what you are asked to do for web based solutions. I know this because I'm writing one of the software that has NETFILE in CCRA. And no, our product will NOT be web based for exactly the reasons of security. People that can't install simple software (it's 3 clicks!) should not be doing their own taxes. Go to H&R or similar (family?) to help you out.

As currently i

Here's a genius idea

[Corporate Gadfly]

Why doesn't he government provide online tax processing website? That way, if the site gets hacked its the government's problem. And your hard-earned tax dollars go towards a service that you can ACTUALLY use. Nay sayers, might say well what about the tax software industry? How many jobs will be lost? And I say to you, screw that. The tax software industry has milked the cash cow dry. Then again, I might be dreaming and this will never happen.

Re:

[Arkaine101]

Why doesn't he government provide online tax processing website?

Lobbyists representing tax-preparation agencies like TurboTax.

Re:

[Techman83]

In Australia the Government provides software to do your tax online. I've been doing it like this for the past 3 financial years. It is far easier and explains a lot more then the paper return you fill out. If you have a refund it is deposited into your account within 14 days. The paper "Tax-Pack" is utterly useless in comparison.

Re:

[Zontar_Thing_From_Ve]

Why doesn't he government provide online tax processing website?

Because one of the mantras of a Republican controlled US government (remember, that the Republicans controlled both the White House and Congress from 2001 until this January) is that private industry always does a better job. Another mantra, which also applies, is that the free market solves all ills. That's why Uncle Sam doesn't do what you suggest.

Re:

[DragonWriter]

Why doesn't he government provide online tax processing website?

Because politicians get massive campaign contributions from the industry that provides software and services for tax processing, and generally believe in not biting the hand that feeds them lavishly, and because their is no public outcry for this that would offset the allure of the campaign cash. Politicians don't, mostly, lead even if they get called "leaders", they follow, and what they mostly follow is money, though a clear enough weight of

Not the first time this year!

[SD_92104]

It is very scary to see how much value Intuit seems to put to customer's data and how much they learn from past mistakes...

On January 6th this year I received an email from TurboTax Online with the subject
"TurboTax User ID Enclosed: Online Products Now Available!"

Problem being that - in addition to my UserID - it also contained two other (seemingly random) UserID including a live link to their login pages. I tried to be nice and alert them of their security problem but it was not easy. After hunting through the website for a feedback/support link I could only find an online chat with one of their support people. It took me close to an hour to tell her about the problem (it somehow didn't seem to fit into her questionnaire flow chart...) and she promised that she would pass the information on to the tech department and that they would get back to me (yeah, right!). I also asked her repeatedly to delete my account including all data and she said it couldn't be done and that I wouldn't have anything to worry about as the data would be safe on their servers - apparently not.

Guess I should have been a little more aggressive and tell some news outlet about the problem than thinking that their internal procedures and security audits would be sufficient without additional pressure. I decided after that email to never again use the online TurboTax version (I never actually filed from it before as it was a little too limited) and looks like I made a smart choice.

Web-based taxes

[Jonathan McDowell]

Of course, TurboTax's web based form is one of the few options for Linux users..
I tried a bunch of different sites; of course there's no excuse for a purely web-based
service to be incompatible, but of course they mostly are! In contrast,
I have had good experiences with Turbotax for the past couple years. And so far
the contents of my bank account haven't vanished .... well actually they did,
but that was because I spent all the money...
Any recommendations for full-featured tax services that work well on
firefo

H&R Block

[Lish]

H&R Block had a similar issue with their online tax prep software back in February:

news.com.com article [com.com]
Businessweek article [businessweek.com]

Re:

[DCMonkey]

... of 2000

Bank routing information is public, isn't it?

[AxelBoldt]

I have to assume that bank routing information is public, or else banks wouldn't print it in clear text on every single check, along with full address. Is there anything evil I can do to you if I had your bank routing information?

In Germany many people put their bank routing information on their letter head, so that people can easily transfer money to them.

Re:

[karmatic]

Well, with ACH access, you can withdraw (or deposit) any arbitrary amount (with sufficient funds) from (or to) almost any account in the United States.

Does that count as evil?

Re:

[AxelBoldt]

Why would the bank hand my money from my account if I didn't authorize it? If the bank is being defrauded I can't see that as being my problem.

Re:

[equivocal]

Why would the bank hand my money from my account if I didn't authorize it?

1) Because the bank serves commercial interests. Consumers are not allowed to protect their accounts. That would raise the cost of extracting money from the account. My bank claims it's by law, but more likely it's just their policy so the won't annoy their corporate peers.
2) Authorization is now implied by writing a check or otherwise specified in terms of service (cell phone, cable TV, etc.).

If the bank is being defrauded I

Re:

[karmatic]

Why? Because that's the way the ACH works.

As for it not being your problem, the burden of proof is on you to demonstrate that it was fraud. Good luck with that.

Re:

[nametaken]

Oddly I had to authorize a family member to use my checking account before they were able to do deposits for me. I was using BankOne before it was bought up in the last year or so.

Re:

[mutterc]

checks are inherently insecure

That's true. Technically, if you have a check from someone, you could clean out their account through electronic transfer. Heck, that's similar to what big credit card companies do now - when you send them a check in the mail, they EFT the money from your account, then destroy the paper check, so it must be possible.

If I were to ever pay for stuff with checks in person (I usually just use plastic), I wouldn't mind giving it to the cashier, for the same reason I don't mind giving them the plastic: the pa

Simple tax software

[ingo23]

I have been using TaxAct for 3 or 4 years now. They have a free downloadable version (as well as web based one). This year they had free e-file as well (before they charged $10 or $12 for e-filing). If your finances are rather simple - it should be covered (I did a Schedule C without a problem). I assume if your situation is more complicated - you'd better hire a CPA.

As for the web based tax preparation - I've never used it. I prefer to keep that kind of data behind my firewall and backed up on my CDRs...

I owe again this year...

[AmigaHeretic]

I don't suppose their is a way someone could steal my SSN, Name, address, etc.. and somehow use all this information to pay my taxes for me this year could they?

If so I'm going to recomend Turbo Tax to all my friends!

And where should I have heard this from?

[th3rmite]

I'm pretty upset reading this article due to the fact that I have been faithfully using Turbo Tax for 7 years now, this year included, and I have yet to receive an email form them along the lines of "Your information might have been compromised." Shouldn't the customers be the first ones to hear about this? Thank god I read Slashdot.

Avoidable risk.

[russotto]

I may be a crusty old Luddite, but this is why I do my taxes the old fashioned way -- with TurboTax on my personal machine. (I tried TaxCut the year that Intuit put DRM on, even though I use a Mac, and found it buggy and inferior). I want the data to remain as much under my control as possible. I send it in on paper, too, though that's because I'm too cheap to spend my money to reduce their costs rather than a concern over a compromise of the E-file database.

It's true that the data is still vulnerable at

My 2 cents

[Jsox]

I actually work for Turbotax in the Technical Support Division. Actually to be specific I work for another company and they outsource their support through us. They do the same for many other offices through different companies, including outsourced Sales people in India, and an office in the Phillipines. Most chat agents are from India.

I've been using Turbotax over the past 5 months for roughly 600 hours and there's a few things I can say about the program. First and foremost, it's very rarely wrong.

Re:

[hidave]

Nice to actually know there are human beings at TT. I've used desktop TT for several years (maybe ten), and it gets more and more complicated with less and less visibility into whata is actually being done. But what else is one to do these days? Before TT, I used TaxCut, but it always had bugs. Next year, old bugs fixed, new bugs present. Anyway, one problem I had with TT this year was it would not save certain data. For example, whenever I'd visit the dependent page where it asks one to check any of severa

TurboTax and Security

[bmeighan]

There is a post on the TurboTax site (http://turbotax.intuit.com/tax_products/turbotax_ advantages/secure.jhtml;jsessionid=FQK0HSUDKCVCMCQ IAURRYUQKBACREF4K [intuit.com]) disclosing and providing more facts on this issue. The issue does NOT affect the TurboTax Online application. Bob Meighan VP, TurboTax

Re:

[PetManimal]

I am a long-time user of TT software (CD ROM version, and for the past four years, the Web version). I was always a little suspicious of your company's promises about security [computerworld.com] and now I can see that I was right to be skeptical.

So Bob, could you clarify exactly what happened with this customer in Nebraska? You said that the vulnerability does not affect the TurboTax Online application, yet the user in Nebraska says she was able to access other people's returns using your online service, and one of your em

Re:

[bmeighan]

PetManimal... Thanks for your loyalty to TurboTax software and your feedback.

This was a single, isolated case of one customer gaining access to prior year tax returns of three customers. The sequence of events and keystrokes used by the customer to gain access were unusual and in an area of our web site rarely used. Since that time, that specific site was removed. This was NOT in any way related to our TurboTax Online application nor was access gained through TurboTax Online. Additionally, our investigatio

Re:

[SD_92104]

[...] the suggestion in the referenced post is under consideration

You really need more than three months to consider that sending out random login names to customers is not a good idea? (I don't object to receiving my own username but I have issues with the fact that my username is being sent to other users as well!)

Sorry, but that answer is simply ridiculous and does not provide confidence in your overall security practices as well as the claims of an isolated incident!

Re:

[ArtLanguage]

Sorry, Bob, but those aren't "more facts," it's corporate spin:

> 1. This was a single, isolated incident. There have been no other reports of this type, and our ongoing investigation has not >identified any other customers affected by this issue. This issue resulted from an accidental and extremely unusual path to access
>a prior year return.

Ideally, it wouldn't be up to your customers to detect and report flaws in your software. And the fact that "an unusual path" is required shouldn't offer an

Re:

[bmeighan]

ArtLanguage... I've outlined what happened in response to another poster. These are not excuses. We take security very seriously and we continue to work diligently to maintain the highest security possible. We perform all the security procedures you outlined and more. We have acknowledged this incident, explained what happened and will improve upon those things that will help us ensure this does not happen again. To speak in more detail about the security procedures we follow would sinmply compromise our se